Assign a security group

Caution

We do not recommend configuring security groups on existing networks: this can cause load balancer failures and disrupt cloud database replication. To avoid failures and data loss, create a new private network or public subnet, enable traffic filtering (port security) on it, and configure the groups there.

If port security is enabled on a network, every port created on that network is assigned the default security group. You can also assign a security group explicitly when creating a port or a server; it is then assigned instead of the default group.

You can assign a security group:

  • when creating a port;
  • to an existing port;
  • when creating a server;
  • to an existing server.

In the control panel you can only assign a group to an existing port.

Assign a security group when creating a port

  1. Open the OpenStack CLI.

  2. Create a port with a security group:

    openstack port create \
    --network <network> \
    --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
    --security-group <security_group> \
    --enable-port-security \
    <port_name>

    Specify:

    • <network> — ID or name of the network, can be viewed with the command openstack network list. For a public subnet this is the same value as <subnet>;
    • <subnet> — ID or subnet name, can be viewed with the command openstack subnet list;
    • <port_ip_address> — IP address of the port;
    • <security_group> — ID or security group name, can be viewed using the command openstack security group list;
    • <port_name> — port name.
  3. Add a port to the server:

    openstack server add port <server> <port>

    Specify:

    • <server> — ID or name of the cloud server, can be viewed with the command openstack server list;
    • <port> — ID or name of the port created in step 2, can be viewed with the command openstack port list.

Assign a group to an existing port

Caution

Once a group is assigned to a port, all active sessions that do not conform to the group rules are terminated.

Assign a group to a port on a private subnet

  1. In the control panel, from the top menu, click Products and select Cloud servers.

  2. Go to the section Network → tab Private networks.

  3. Open the network page → tab Ports.

  4. In the port card, in the Security groups field, click the edit icon.

  5. In the Security groups field, check the groups you want to assign to the port, or click New security group and create a group.

  6. Click Save.

Assign a group to a port on a public subnet

  1. In the control panel, from the top menu, click Products and select Cloud servers.

  2. Go to the section Network → tab Public subnets.

  3. Open the subnet card → tab Ports.

  4. On the port line, in the Security groups field, click the edit icon.

  5. In the Security groups field, check the groups you want to assign to the port, or click New security group and create a group.

  6. Click Save.

Assign a group when creating a server

The group is assigned only to the ports that are created together with the server.

  1. Open the OpenStack CLI.

  2. Enable port security on the network where you will create the server:

    openstack network set \
    --enable-port-security \
    <network>

    Specify <network> — ID or network name, can be viewed with the command openstack network list.

  3. Create a cloud server on the subnet by specifying a security group:

    openstack server create \
    [--image <image> | --volume <volume> | --snapshot <snapshot>] \
    --flavor <flavor> \
    --availability-zone <pool_segment> \
    --nic net-id=<net_uuid> \
    --security-group <security_group> \
    --key-name <key_name> \
    <server_name>

    Specify:

    • source type:

      • --image <image> — to create a server from ready or own image. Parameter <image> — ID or image name, can be viewed with the command openstack image list;
      • --volume <volume> — to create a server from network drive. Parameter <volume> — ID or disk name can be viewed with the command openstack volume list;
      • --snapshot <snapshot> — to create a server from snapshot. Parameter <snapshot> — ID or name of the snapshot can be viewed with the command openstack snapshot list;
    • <flavor> — ID or name of the flavor. Flavors correspond to cloud server configurations and determine the number of vCPUs, the RAM and the local disk size (optional) of the server. You can use a fixed-configuration flavor or a custom-configuration flavor. For example, 4011 is the ID for creating a Memory Line fixed-configuration server with 2 vCPUs and 16 GB RAM in the ru-9 pool. The list of flavors can be viewed with the command openstack flavor list or in the table List of fixed-configuration flavors in all pools;

    • <pool_segment> — pool segment where the cloud server will be created, e.g. ru-9a. The list of available pool segments is given in the instructions Availability matrices;

    • <net_uuid> — The ID of the private or public network to which the server will be connected can be viewed using the command openstack network list;

    • <key_name> — name of the service user's SSH key pair. If you have not created SSH keys yet, generate them. The list can be viewed with the command openstack keypair list;

    • <security_group> — ID or security group name, can be viewed using the command openstack security group list;

    • optional: --block-device-mapping vdb=<extra_volume> — to add an additional disk. Parameter <extra_volume> — ID or name of the additional disk can be viewed with the command openstack volume list;

    • optional: --tag <tag_name> --os-compute-api-version 2.52 — tag to add additional information about the server. Parameter <tag_name> — tag name;

    • optional: --tag preemptible --os-compute-api-version 2.72 — tag for creating a preemptible server;

    • optional: --user-data <user_data.file> — a script to execute on the first boot of the operating system. Parameter <user_data.file> — path to the file with the script; the CLI Base64-encodes its contents before sending. Examples of scripts can be found in the instruction User data;

    • <server_name> — server name.

Assign a group to an existing server

Caution

Once a group is assigned, all active sessions on the server's ports that do not conform to the group rules are terminated.

The security group is applied to the server's existing ports only; it is not assigned to ports you add later.

  1. Enable traffic filtering (port security) on all ports on the server.

  2. Open the OpenStack CLI.

  3. Assign a security group to the server:

    openstack server add security group \
    <server> \
    <security_group>

    Specify:

    • <server> — ID or server name, can be viewed with the command openstack server list;
    • <security_group> — ID or security group name, can be viewed using the command openstack security group list.
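Whichever route you took (creating a port or a server with a group, or assigning a group to an existing server), the thing worth checking afterwards is that the group actually landed on every port of the server and that port security is enabled on each of them: a port with port security disabled ignores its security groups entirely, and the note above says the group is only applied to ports that existed at assignment time. The audit below is an added example, not part of the original page or of the provider's tooling. It assumes the JSON field names of `openstack port list --server <server> -f json` ("ID") and `openstack port show <port> -f json` ("port_security_enabled" and "security_group_ids", or "security_groups" on older clients); the sample port records and IDs are constructed.

```python
"""Audit a server's ports after assigning a security group (added example)."""
import json
import subprocess
from typing import Dict, List


def parse_security_groups(port: Dict) -> List[str]:
    """Return the security-group IDs of a `port show -f json` record.

    Newer clients emit "security_group_ids" as a list; older ones emit
    "security_groups" as a comma-separated string. Both are handled here
    (assumption about client versions, not taken from the page).
    """
    sgs = port.get("security_group_ids")
    if sgs is None:
        sgs = port.get("security_groups", "")
    if isinstance(sgs, str):
        sgs = [s.strip() for s in sgs.split(",") if s.strip()]
    return list(sgs)


def audit_port(port: Dict, required_sg: str) -> List[str]:
    """Return the `openstack port set` commands needed to bring one port into line.

    Port security is checked first: with it disabled, security groups have no
    effect on the port, so enabling it must precede attaching the group.
    """
    fixes = []
    port_id = port["id"]
    if not port.get("port_security_enabled", False):
        fixes.append(f"openstack port set --enable-port-security {port_id}")
    if required_sg not in parse_security_groups(port):
        fixes.append(f"openstack port set --security-group {required_sg} {port_id}")
    return fixes


def audit_ports(ports: List[Dict], required_sg: str) -> Dict[str, List[str]]:
    """Map port ID -> remediation commands, only for ports that need fixing."""
    result = {}
    for port in ports:
        fixes = audit_port(port, required_sg)
        if fixes:
            result[port["id"]] = fixes
    return result


def fetch_server_ports(server: str) -> List[Dict]:
    """Live path: list the server's ports and show each one (needs the OpenStack CLI)."""
    out = subprocess.run(
        ["openstack", "port", "list", "--server", server, "-f", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    ports = []
    for entry in json.loads(out):
        show = subprocess.run(
            ["openstack", "port", "show", entry["ID"], "-f", "json"],
            check=True, capture_output=True, text=True,
        ).stdout
        ports.append(json.loads(show))
    return ports


# Constructed sample: what `openstack port show -f json` could return for three
# ports of one server. IDs and group IDs are made up for the example.
SAMPLE_PORTS = json.loads("""
[
 {"id": "p-1", "name": "web-port", "port_security_enabled": true,
  "security_group_ids": ["sg-web", "sg-default"]},
 {"id": "p-2", "name": "db-port", "port_security_enabled": true,
  "security_group_ids": ["sg-default"]},
 {"id": "p-3", "name": "legacy-port", "port_security_enabled": false,
  "security_groups": ""}
]
""")


if __name__ == "__main__":
    import sys
    # With a server name/ID as argument the live CLI is queried; otherwise the sample is used.
    ports = fetch_server_ports(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PORTS
    for port_id, cmds in audit_ports(ports, "sg-web").items():
        print(f"# {port_id}")
        for cmd in cmds:
            print(cmd)
```

Run it with no arguments to see the sample output, or with a server name or ID to audit a real server. Review the printed commands before running them: attaching a group to a port terminates any existing sessions that the group's rules do not allow, as the cautions above state.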